On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
Does this mean it's only for other 4xx or for any status ? It might have
implications with non-idempotent requests if a client can repost a request
that led to a 200 for instance.
> and,
>
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.
This looks important indeed !
Willy